HVCI is off. Truesight driver is supposed to be blocked by signer, but it is not. (The driver runs fine.)
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/324/199/714/008/original/68844926884a13a5.png
So, based on our BSOD, we can conclude that non-HVCI WDAC driver blocking based on signer does work. But didn't I say earlier that it does not?
I'm glad you're paying attention. Yes, based on this test we can conclude that WDAC driver blocking based on signer does indeed work. But blocking based solely on signer never really happens in the real world, since it's important for Windows to be able to boot. So in the real world we have blocking by signer with FileAttrib qualifiers.
This is what's broken with non-HVCI attempts to block things based on signer. (Publisher and friends)
Without a FileAttrib qualifier, Windows will BSOD, thus proving that WDAC is effective in blocking drivers by signer. However, with a FileAttrib qualifier, Windows without HVCI won't bother blocking anything by signer.
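An added example, not part of the original posts: a Python check that lists the kernel-mode denied signers in a WDAC policy XML and separates signer-only denies from those qualified by FileAttrib, the case the thread reports as not enforced when HVCI is off. The policy fragment, its IDs, placeholder TBS values and the file name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
KERNEL_SCENARIO = "131"  # SigningScenario value for kernel-mode drivers

# Constructed sample policy fragment; every ID, name and value is a placeholder.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <FileAttrib ID="ID_FILEATTRIB_EXAMPLE" FileName="example.sys" MaximumFileVersion="9.9.9.9" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_QUALIFIED" Name="Example CA (qualified)">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_1" />
      <FileAttribRef RuleID="ID_FILEATTRIB_EXAMPLE" />
    </Signer>
    <Signer ID="ID_SIGNER_BARE" Name="Example CA (signer only)">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_2" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS">
      <ProductSigners><DeniedSigners>
        <DeniedSigner SignerId="ID_SIGNER_QUALIFIED" />
        <DeniedSigner SignerId="ID_SIGNER_BARE" />
      </DeniedSigners></ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""

def audit_kernel_denied_signers(policy_xml):
    """Map each kernel-mode denied signer ID to its FileAttrib file names ([] = signer-only)."""
    root = ET.fromstring(policy_xml)
    file_names = {fa.get("ID"): fa.get("FileName")
                  for fa in root.iterfind("si:FileRules/si:FileAttrib", NS)}
    signers = {s.get("ID"): s for s in root.iterfind("si:Signers/si:Signer", NS)}
    result = {}
    for sc in root.iterfind("si:SigningScenarios/si:SigningScenario", NS):
        if sc.get("Value") != KERNEL_SCENARIO:
            continue  # only driver (kernel-mode) rules matter here
        for d in sc.iterfind("si:ProductSigners/si:DeniedSigners/si:DeniedSigner", NS):
            signer = signers.get(d.get("SignerId"))
            refs = [] if signer is None else signer.findall("si:FileAttribRef", NS)
            result[d.get("SignerId")] = [file_names.get(r.get("RuleID"), r.get("RuleID")) for r in refs]
    return result

if __name__ == "__main__":
    for signer_id, files in audit_kernel_denied_signers(SAMPLE_POLICY).items():
        kind = "FileAttrib-qualified, verify enforcement with HVCI off" if files else "signer-only"
        print(f"{signer_id}: {kind} {files}")
```
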